

<!DOCTYPE html>
<html class="writer-html5" lang="en" >
<head>
  <meta charset="utf-8" />
  
  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
  
  <title>CephFS Client Capabilities &mdash; Ceph Documentation</title>
  

  
  <link rel="stylesheet" href="../../_static/ceph.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/graphviz.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/css/custom.css" type="text/css" />

  
  
    <link rel="shortcut icon" href="../../_static/favicon.ico"/>
  

  
  

  

  

    
    <link rel="index" title="Index" href="../../genindex/" />
    <link rel="search" title="Search" href="../../search/" />
    <link rel="next" title="Mounting CephFS: Prerequisites" href="../mount-prerequisites/" />
    <link rel="prev" title="Client Configuration" href="../client-config-ref/" />
</head>

<body class="wy-body-for-nav">

   
  <div class="wy-grid-for-nav">
    

    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">

      


      <div class="wy-nav-content">
        
        <div class="rst-content">
        
          <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
           <div itemprop="articleBody">
            
<div id="dev-warning" class="admonition note">
  <p class="first admonition-title">Notice</p>
  <p class="last">This document is for a development version of Ceph.</p>
</div>

  
  <div class="section" id="cephfs">
<h1>CephFS Client Capabilities<a class="headerlink" href="#cephfs" title="Permalink to this headline">¶</a></h1>
<p>Use Ceph authentication capabilities to restrict your file system clients to the lowest level of authority they actually need.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Path restriction and layout-modification restriction are new features in the Jewel release of Ceph.</p>
</div>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Using Erasure Coded (EC) pools with CephFS is supported only with the
BlueStore backend. EC pools cannot be used as metadata pools, and overwrites must
be enabled on any EC pool used as a data pool.</p>
</div>
<div class="section" id="id1">
<h2>Path restriction<a class="headerlink" href="#id1" title="Permalink to this headline">¶</a></h2>
<p>By default, clients are not restricted in which paths they are allowed to mount. Furthermore, when a client mounts a subdirectory such as <code class="docutils literal notranslate"><span class="pre">/home/user</span></code>, the MDS does not by default verify that subsequent operations stay “locked” within that directory.</p>
<p>To restrict a client so that it can mount and work only within a particular directory, use path-based MDS authentication capabilities.</p>
<div class="section" id="id2">
<h3>Syntax<a class="headerlink" href="#id2" title="Permalink to this headline">¶</a></h3>
<p>To grant read/write (rw) access to a specified directory only, name that directory when creating the client's key, using the following syntax:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre>ceph fs authorize &lt;fs_name&gt; client.&lt;client_id&gt; &lt;path-in-cephfs&gt; rw
</pre></div>
</div>
<p>For example, to let client <code class="docutils literal notranslate"><span class="pre">foo</span></code> read all of file system <code class="docutils literal notranslate"><span class="pre">cephfs_a</span></code> but write only within its
<code class="docutils literal notranslate"><span class="pre">bar</span></code> directory, use:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre>ceph fs authorize cephfs_a client.foo / r /bar rw
</pre></div>
</div>
<p>which results in:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre>client.foo
  key: &lt;key&gt;
  caps: [mds] allow r, allow rw path=/bar
  caps: [mon] allow r
  caps: [osd] allow rw tag cephfs data=cephfs_a
</pre></div>
</div>
<p>To restrict the client entirely to the <code class="docutils literal notranslate"><span class="pre">bar</span></code> directory, omit the root directory:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre>ceph fs authorize cephfs_a client.foo /bar rw
</pre></div>
</div>
<p>Note that if a client's read access is restricted to a path, the client can only mount the file system by specifying a readable path in the mount command (see below).</p>
<p>Supplying <code class="docutils literal notranslate"><span class="pre">all</span></code> or <code class="docutils literal notranslate"><span class="pre">*</span></code> as the file system name grants access to every file system. Note that it is usually necessary to quote <code class="docutils literal notranslate"><span class="pre">*</span></code> to protect it from the shell.</p>
<p>See <a class="reference external" href="../../rados/operations/user-management/#add-a-user-to-a-keyring">User Management - Add a User to a Keyring</a> for additional details on user management.</p>
<p>To restrict a client to a specified subdirectory only, also name that directory when mounting, using the following syntax:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre>ceph-fuse -n client.&lt;client_name&gt; &lt;mount_path&gt; -r &lt;directory_to_be_mounted&gt;
</pre></div>
</div>
<p>For example, to restrict client <code class="docutils literal notranslate"><span class="pre">foo</span></code> to the <code class="docutils literal notranslate"><span class="pre">bar</span></code> directory, mounted at <code class="docutils literal notranslate"><span class="pre">mnt</span></code>, use:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre>ceph-fuse -n client.foo mnt -r /bar
</pre></div>
</div>
</div>
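<p>The capability strings created above are only as tight as the administrator writes them, so it is worth auditing existing keyrings for over-broad grants before they reach clients. The following Python script is an added example, not Ceph project code: it parses the keyring format that <code class="docutils literal notranslate"><span class="pre">ceph</span> <span class="pre">auth</span> <span class="pre">get</span></code> prints and flags MDS grants that allow writes without a <code class="docutils literal notranslate"><span class="pre">fsname=</span></code> or <code class="docutils literal notranslate"><span class="pre">path=</span></code> qualifier, flag sets in the wrong order, monitor caps beyond read-only, and OSD caps that are not limited to CephFS pools via <code class="docutils literal notranslate"><span class="pre">tag</span> <span class="pre">cephfs</span></code>. The sample keyring, its placeholder keys and the exact checks are constructed for this example.</p>

```python
"""
Least-privilege audit of CephFS client keyrings.

Added example, not Ceph project code. It reads the keyring format that
`ceph auth get` prints ([client.name] / key = ... / caps <service> = "...")
and flags capability strings that are broader than a file system client
normally needs. The checks and their wording are this example's own choices;
the flag-order rule (p before s) and the fsname/path/tag syntax are the ones
documented for CephFS.
"""
import re

# Constructed sample keyring (keys are placeholders, not real secrets):
# one tightly scoped client and two that an audit should flag.
SAMPLE_KEYRING = """\
[client.scoped]
    key = EXAMPLEKEY0000000000000000000000000000==
    caps mds = "allow r fsname=cephfs, allow rw fsname=cephfs path=/home/alice"
    caps mon = "allow r fsname=cephfs"
    caps osd = "allow rw tag cephfs data=cephfs"

[client.broad]
    key = EXAMPLEKEY1111111111111111111111111111==
    caps mds = "allow rwps"
    caps mon = "allow *"
    caps osd = "allow rw"

[client.typo]
    key = EXAMPLEKEY2222222222222222222222222222==
    caps mds = "allow rwsp path=/bar"
    caps mon = "allow r"
    caps osd = "allow rw tag cephfs data=cephfs"
"""

_SECTION = re.compile(r"^\[(?P<name>[^\]]+)\]$")
_CAPS = re.compile(r'^caps\s+(?P<svc>mds|mon|osd|mgr)\s*=\s*"(?P<caps>[^"]*)"$')
_GRANT = re.compile(r"^allow\s+(?P<perms>\S+)")
# Valid MDS flag sets; 'p' must precede 's' (see the 's' flag section).
_VALID_MDS_PERMS = re.compile(r"^(\*|all|r|rw|rwp|rws|rwps)$")
# A CephFS client needs read-only monitor access, optionally scoped by fsname/network.
_MINIMAL_MON = re.compile(r"^allow r(\s+fsname=\S+)?(\s+network\s+\S+)?$")


def parse_keyring(text: str) -> dict[str, dict[str, str]]:
    """Return {entity_name: {service: cap_string}}; the secret key is deliberately not kept."""
    entities: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := _SECTION.match(line):
            current = m.group("name")
            entities[current] = {}
        elif (m := _CAPS.match(line)) and current is not None:
            entities[current][m.group("svc")] = m.group("caps")
    return entities


def audit_entity(name: str, caps: dict[str, str]) -> list[str]:
    """Findings for one client entity; an empty list means nothing looked over-broad."""
    findings = []
    for grant in (g.strip() for g in caps.get("mds", "").split(",") if g.strip()):
        m = _GRANT.match(grant)
        perms = m.group("perms") if m else ""
        if perms in ("*", "all"):
            findings.append(f"{name}: mds grant '{grant}' is unrestricted")
            continue
        if not _VALID_MDS_PERMS.match(perms):
            findings.append(f"{name}: mds grant '{grant}' has unknown flags or wrong flag order "
                            "(expected one of r, rw, rwp, rws, rwps)")
            continue
        if "w" in perms and "fsname=" not in grant and "path=" not in grant:
            findings.append(f"{name}: mds grant '{grant}' allows writes on every file system and path")
    mon = caps.get("mon", "").strip()
    if mon and not _MINIMAL_MON.match(mon):
        findings.append(f"{name}: mon cap '{mon}' exceeds the read-only access a client needs")
    osd = caps.get("osd", "")
    if osd and "tag cephfs" not in osd:
        findings.append(f"{name}: osd cap '{osd}' is not limited to CephFS pools (no 'tag cephfs')")
    return findings


def audit_keyring(text: str) -> dict[str, list[str]]:
    """Audit every entity in a keyring; returns {entity_name: [finding, ...]}."""
    return {name: audit_entity(name, caps) for name, caps in parse_keyring(text).items()}


if __name__ == "__main__":
    for entity, findings in audit_keyring(SAMPLE_KEYRING).items():
        print(entity, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

<p>Point <code class="docutils literal notranslate"><span class="pre">audit_keyring</span></code> at the output of <code class="docutils literal notranslate"><span class="pre">ceph</span> <span class="pre">auth</span> <span class="pre">ls</span></code> to sweep a whole cluster; in the sample, <code class="docutils literal notranslate"><span class="pre">client.scoped</span></code> passes while <code class="docutils literal notranslate"><span class="pre">client.broad</span></code> collects three findings and <code class="docutils literal notranslate"><span class="pre">client.typo</span></code> is caught by the flag-order rule.</p>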
<div class="section" id="id3">
<h3>Free space reporting<a class="headerlink" href="#id3" title="Permalink to this headline">¶</a></h3>
<p>By default, when a client mounts a subdirectory, the used space reported by <code class="docutils literal notranslate"><span class="pre">df</span></code> is calculated from the quota on that subdirectory rather than from the overall space used on the cluster.</p>
<p>If you would like the client to report the overall usage of the file system, and not just the quota usage of the mounted subdirectory, set the following option in the client's configuration:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre>client quota df = false
</pre></div>
</div>
<p>If quotas are not enabled, or no quota is set on the mounted subdirectory, the overall usage of the file system is reported regardless of this setting.</p>
</div>
</div>
<div class="section" id="p">
<h2>Layout and quota restriction (the ‘p’ flag)<a class="headerlink" href="#p" title="Permalink to this headline">¶</a></h2>
<p>To set layouts or quotas, a client requires the <code class="docutils literal notranslate"><span class="pre">p</span></code> flag in addition to <code class="docutils literal notranslate"><span class="pre">rw</span></code>. The flag governs all of the attributes set through the special extended attributes with a <code class="docutils literal notranslate"><span class="pre">ceph.</span></code> prefix, as well as other means of setting those fields (such as <code class="docutils literal notranslate"><span class="pre">openc</span></code> operations that carry a layout).</p>
<p>For example, in the following snippet client.0 can modify layouts and quotas on file system cephfs_a, while client.1 cannot:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre>client.0
    key: AQAz7EVWygILFRAAdIcuJ12opU/JKyfFmxhuaw==
    caps: [mds] allow rwp
    caps: [mon] allow r
    caps: [osd] allow rw tag cephfs data=cephfs_a

client.1
    key: AQAz7EVWygILFRAAdIcuJ12opU/JKyfFmxhuaw==
    caps: [mds] allow rw
    caps: [mon] allow r
    caps: [osd] allow rw tag cephfs data=cephfs_a
</pre></div>
</div>
</div>
<div class="section" id="s">
<h2>Snapshot restriction (the ‘s’ flag)<a class="headerlink" href="#s" title="Permalink to this headline">¶</a></h2>
<p>To create or delete snapshots, clients require the ‘s’ flag in addition to
‘rw’. Note that when the capability string also contains the ‘p’ flag, the ‘s’
flag must appear after it (all flags except ‘rw’ must be specified in
alphabetical order).</p>
<p>For example, in the following snippet client.0 can create or delete snapshots
in the <code class="docutils literal notranslate"><span class="pre">bar</span></code> directory of file system <code class="docutils literal notranslate"><span class="pre">cephfs_a</span></code>:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre>client.0
    key: AQAz7EVWygILFRAAdIcuJ12opU/JKyfFmxhuaw==
    caps: [mds] allow rw, allow rws path=/bar
    caps: [mon] allow r
    caps: [osd] allow rw tag cephfs data=cephfs_a
</pre></div>
</div>
</div>
<div class="section" id="id5">
<h2>Network restriction<a class="headerlink" href="#id5" title="Permalink to this headline">¶</a></h2>
<p>A grant can additionally be limited to clients connecting from a given network. For example:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre>client.foo
  key: &lt;key&gt;
  caps: [mds] allow r network 10.0.0.0/8, allow rw path=/bar network 10.0.0.0/8
  caps: [mon] allow r network 10.0.0.0/8
  caps: [osd] allow rw tag cephfs data=cephfs_a network 10.0.0.0/8
</pre></div>
</div>
<p>The optional <code class="docutils literal notranslate"><span class="pre">{network/prefix}</span></code> is a standard network name and
prefix length in CIDR notation (e.g., <code class="docutils literal notranslate"><span class="pre">10.3.0.0/16</span></code>).  If present,
the use of this capability is restricted to clients connecting from
this network.</p>
</div>
<div class="section" id="file-system-information-restriction">
<span id="fs-authorize-multifs"></span><h2>File system Information Restriction<a class="headerlink" href="#file-system-information-restriction" title="Permalink to this headline">¶</a></h2>
<p>If desired, the monitor cluster can present a limited view of the file systems
available. In this case, the monitor cluster will only inform clients about
file systems specified by the administrator. Other file systems will not be
reported and commands affecting them will fail as if the file systems do
not exist.</p>
<p>Consider the following example. The Ceph cluster has two file systems:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ ceph fs ls
name: cephfs, metadata pool: cephfs_metadata, data pools: [cephfs_data ]
name: cephfs2, metadata pool: cephfs2_metadata, data pools: [cephfs2_data ]
</pre></div>
</div>
<p>But we authorize client <code class="docutils literal notranslate"><span class="pre">someuser</span></code> for only one FS:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ ceph fs authorize cephfs client.someuser / rw
[client.someuser]
    key = AQAmthpf89M+JhAAiHDYQkMiCq3x+J0n9e8REQ==
$ cat ceph.client.someuser.keyring
[client.someuser]
    key = AQAmthpf89M+JhAAiHDYQkMiCq3x+J0n9e8REQ==
    caps mds = &quot;allow rw fsname=cephfs&quot;
    caps mon = &quot;allow r fsname=cephfs&quot;
    caps osd = &quot;allow rw tag cephfs data=cephfs&quot;
</pre></div>
</div>
<p>And the client can only see the FS that it has authorization for:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ ceph fs ls -n client.someuser -k ceph.client.someuser.keyring
name: cephfs, metadata pool: cephfs_metadata, data pools: [cephfs_data ]
</pre></div>
</div>
<p>Standby MDS daemons will always be displayed. Note that the information about
restricted MDS daemons and file systems may become available by other means,
such as <code class="docutils literal notranslate"><span class="pre">ceph</span> <span class="pre">health</span> <span class="pre">detail</span></code>.</p>
</div>
<div class="section" id="mds-communication-restriction">
<h2>MDS communication restriction<a class="headerlink" href="#mds-communication-restriction" title="Permalink to this headline">¶</a></h2>
<p>By default, user applications may communicate with any MDS, whether or not
they are allowed to modify data on an associated file system (see
<cite>Path restriction</cite> above). A client's communication can be restricted to the MDS
daemons associated with particular file system(s) by adding MDS caps for that
particular file system. Consider the following example, where the Ceph cluster
has two file systems:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ ceph fs ls
name: cephfs, metadata pool: cephfs_metadata, data pools: [cephfs_data ]
name: cephfs2, metadata pool: cephfs2_metadata, data pools: [cephfs2_data ]
</pre></div>
</div>
<p>Client <code class="docutils literal notranslate"><span class="pre">someuser</span></code> is authorized only for one FS:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ ceph fs authorize cephfs client.someuser / rw
[client.someuser]
    key = AQBPSARfg8hCJRAAEegIxjlm7VkHuiuntm6wsA==
$ ceph auth get client.someuser &gt; ceph.client.someuser.keyring
exported keyring for client.someuser
$ cat ceph.client.someuser.keyring
[client.someuser]
    key = AQBPSARfg8hCJRAAEegIxjlm7VkHuiuntm6wsA==
    caps mds = &quot;allow rw fsname=cephfs&quot;
    caps mon = &quot;allow r&quot;
    caps osd = &quot;allow rw tag cephfs data=cephfs&quot;
</pre></div>
</div>
<p>Mounting <code class="docutils literal notranslate"><span class="pre">cephfs</span></code> (here at <code class="docutils literal notranslate"><span class="pre">/mnt/cephfs1</span></code>) with <code class="docutils literal notranslate"><span class="pre">someuser</span></code> works:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ sudo ceph-fuse /mnt/cephfs1 -n client.someuser -k ceph.client.someuser.keyring --client-fs=cephfs
ceph-fuse[96634]: starting ceph client
ceph-fuse[96634]: starting fuse
$ mount | grep ceph-fuse
ceph-fuse on /mnt/cephfs1 type fuse.ceph-fuse (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
</pre></div>
</div>
<p>But mounting <code class="docutils literal notranslate"><span class="pre">cephfs2</span></code> does not:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ sudo ceph-fuse /mnt/cephfs2 -n client.someuser -k ceph.client.someuser.keyring --client-fs=cephfs2
ceph-fuse[96599]: starting ceph client
ceph-fuse[96599]: ceph mount failed with (1) Operation not permitted
</pre></div>
</div>
</div>
<div class="section" id="root-squash">
<h2>Root squash<a class="headerlink" href="#root-squash" title="Permalink to this headline">¶</a></h2>
<p>The <code class="docutils literal notranslate"><span class="pre">root</span> <span class="pre">squash</span></code> feature is implemented as a safety measure to prevent
scenarios such as an accidental <code class="docutils literal notranslate"><span class="pre">sudo</span> <span class="pre">rm</span> <span class="pre">-rf</span> <span class="pre">/path</span></code>. You can enable
<code class="docutils literal notranslate"><span class="pre">root_squash</span></code> mode in MDS caps to disallow clients with uid=0 or gid=0 from
performing write-access operations, e.g., rm, rmdir, rmsnap, mkdir, mksnap.
Unlike in other file systems, the mode still allows a root client's read operations.</p>
<p>The following is an example of enabling root_squash on a file system, except within
the ‘/volumes’ directory tree:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ ceph fs authorize a client.test_a / rw root_squash /volumes rw
$ ceph auth get client.test_a
[client.test_a]
    key = AQBZcDpfEbEUKxAADk14VflBXt71rL9D966mYA==
    caps mds = &quot;allow rw fsname=a root_squash, allow rw fsname=a path=/volumes&quot;
    caps mon = &quot;allow r fsname=a&quot;
    caps osd = &quot;allow rw tag cephfs data=a&quot;
</pre></div>
</div>
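<p>Before handing out a key, it helps to reason about what a combined capability string will actually permit. The following Python module is an added example, not Ceph code: it parses the <code class="docutils literal notranslate"><span class="pre">caps</span> <span class="pre">mds</span></code> grammar used on this page (<code class="docutils literal notranslate"><span class="pre">allow</span> <span class="pre">&lt;flags&gt;</span></code> with optional <code class="docutils literal notranslate"><span class="pre">fsname=</span></code>, <code class="docutils literal notranslate"><span class="pre">path=</span></code>, <code class="docutils literal notranslate"><span class="pre">root_squash</span></code> and <code class="docutils literal notranslate"><span class="pre">network</span> <span class="pre">&lt;cidr&gt;</span></code>) and evaluates read, write, layout/quota and snapshot operations against it, covering the path, ‘p’, ‘s’, network and root_squash restrictions described above. The operation-to-flag mapping and the simplified matching rules are this example's assumptions; the real MDS check additionally consults <code class="docutils literal notranslate"><span class="pre">uid=</span></code>/<code class="docutils literal notranslate"><span class="pre">gids=</span></code> grants and the inode's owner and mode bits, which are omitted here.</p>

```python
"""
Simplified emulation of how the MDS evaluates a client's `caps mds` string.

Added example, not Ceph project code. It implements only the rules this page
describes: a comma-separated list of grants, each `allow <flags>` optionally
qualified by fsname=, path=, root_squash and `network <cidr>`; the p flag for
layouts/quotas, the s flag for snapshots, and root_squash removing write-class
operations from uid 0 / gid 0. Ceph's real check also consults uid=/gids=
grants and the inode's owner and mode bits, which are omitted here.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
# Flag sets accepted here; 'p' must come before 's', as the documentation requires.
_FLAGS = re.compile(r"^(\*|all|r|rw|rwp|rws|rwps)$")
# Flags each operation class needs (assumption mirroring the text on this page).
_NEEDS = {"read": "r", "write": "w", "layout": "wp", "snapshot": "ws"}


@dataclass
class Grant:
    flags: str
    fsname: Optional[str] = None
    path: str = "/"
    root_squash: bool = False
    network: Optional[Network] = None


def parse_mds_caps(caps: str) -> list[Grant]:
    """Split 'allow ..., allow ...' into Grant objects; raises ValueError on bad syntax."""
    grants = []
    for clause in caps.split(","):
        tokens = clause.split()
        if len(tokens) < 2 or tokens[0] != "allow" or not _FLAGS.match(tokens[1]):
            raise ValueError(f"malformed grant: {clause.strip()!r}")
        g = Grant(flags="rwps" if tokens[1] in ("*", "all") else tokens[1])
        i = 2
        while i < len(tokens):
            tok = tokens[i]
            if tok.startswith("fsname="):
                g.fsname = tok[len("fsname="):]
            elif tok.startswith("path="):
                g.path = "/" + tok[len("path="):].strip("/")
            elif tok == "root_squash":
                g.root_squash = True
            elif tok == "network" and i + 1 < len(tokens):
                i += 1
                g.network = ipaddress.ip_network(tokens[i], strict=False)
            else:
                raise ValueError(f"unknown token {tok!r} in {clause.strip()!r}")
            i += 1
        grants.append(g)
    return grants


def is_valid_caps(caps: str) -> bool:
    """True if the string parses; 'allow rwsp' is rejected because s must follow p."""
    try:
        parse_mds_caps(caps)
        return True
    except ValueError:
        return False


def _path_matches(grant_path: str, req_path: str) -> bool:
    """A grant covers its directory and everything below it, never siblings (/bar vs /barn)."""
    req = "/" + req_path.strip("/")
    return grant_path == "/" or req == grant_path or req.startswith(grant_path + "/")


def is_capable(grants: list[Grant], fsname: str, path: str, op: str,
               uid: int = 1000, gid: int = 1000, client_ip: str = "10.0.0.5") -> bool:
    """True if any grant permits `op` ('read', 'write', 'layout', 'snapshot') on (fsname, path)."""
    needed = _NEEDS[op]
    ip = ipaddress.ip_address(client_ip)
    for g in grants:
        if g.network is not None and ip not in g.network:
            continue
        if g.fsname is not None and g.fsname != fsname:
            continue
        if not _path_matches(g.path, path):
            continue
        # root_squash keeps read access for root but drops every write-class operation.
        if g.root_squash and op != "read" and (uid == 0 or gid == 0):
            continue
        if all(flag in g.flags for flag in needed):
            return True
    return False


def allowed(caps: str, fsname: str, path: str, op: str, **kw) -> bool:
    """Convenience wrapper: parse and evaluate in one call."""
    return is_capable(parse_mds_caps(caps), fsname, path, op, **kw)


if __name__ == "__main__":
    squash = "allow rw fsname=a root_squash, allow rw fsname=a path=/volumes"
    print(allowed(squash, "a", "/data/x", "write", uid=0))      # root is squashed outside /volumes
    print(allowed(squash, "a", "/volumes/v1", "write", uid=0))  # exempt subtree
```

<p>Feed it the strings from the examples on this page: for <code class="docutils literal notranslate"><span class="pre">allow</span> <span class="pre">r,</span> <span class="pre">allow</span> <span class="pre">rw</span> <span class="pre">path=/bar</span></code> a write to <code class="docutils literal notranslate"><span class="pre">/barn</span></code> is refused because a path grant covers its subtree, not sibling names, and for the root_squash example a uid 0 write outside <code class="docutils literal notranslate"><span class="pre">/volumes</span></code> is refused while the same client's reads still succeed.</p>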
</div>
</div>



           </div>
           
          </div>
          <footer>

  <hr/>

  <div role="contentinfo">
    <p>
        &#169; Copyright 2016, Ceph authors and contributors. Licensed under Creative Commons Attribution Share Alike 3.0 (CC-BY-SA-3.0).

    </p>
  </div> 

</footer>
        </div>
      </div>

    </section>

  </div>
  


  
  
    
   

</body>
</html>